Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

please excuse... as it is very basic... AND in search or WHERE..what is diff

Raj_Splunk_Ing
Explorer
‎10-09-2024 09:53 AM

Hi All,

Thanks for your time. I am sorry in advance as this is very basic question. just started exploring the search query.. If i have something like below

index=ADFS_AWS
AND clientId IN ("Abc123","ABC123",ABC_ABC","abc_abc")

This is searching only for these clientIds   - option1

or with Where

Where clientID IN (clientId IN ("Abc123","ABC123",ABC_ABC","abc_abc")

which one should we be using and more efficient

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-09-2024 09:58 AM

Hi @Raj_Splunk_Ing No need to apologize - we all start somewhere, and asking questions is how we learn! Let's break down your question about using AND ... IN (...) versus WHERE ... IN (...) in Splunk searches.

Both of your examples will work, but there are some slight differences:

 

AND ... IN (...):
index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

 

This is part of the main search string and is evaluated early in the search process.

 

  • Using WHERE:
     
    index=ADFS_AWS | WHERE clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
    The WHERE command is a separate search command that filters results after the initial search.

In terms of efficiency:

  • For most cases, they'll perform similarly.
  • The AND version might be slightly faster as it's applied earlier in the search process.
  • The WHERE version is more flexible if you need to do more complex filtering.

Remember, the best approach often depends on your specific data and use case. Don't hesitate to test both and see which works better for you!

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-09-2024 12:49 PM

AND is just a boolean operator for the (in this case) implied search command. If you don't specify any explicit command at the beginning of your search Splunk inserts an implied search one so your search is actually

| search index=something field=value another_field IN (value1,value2,...)

And the AND boolean operator is implied for search terms if another operator isn't specified so the search above is equivalent to

| search index=something AND field=value AND another_field IN (value1,value2,...)

You can of course use other boolean operators to make more complex search conditions like

| search (index=something sourcetype=something) OR (index=another host=host1 NOT source=/var/log/m3essages)

So AND is not a command.

As per the difference between adding another condition to the initial search and using the "where command" the where command uses different matching conditions - search can only match fields with static values (possibly wildcarded) whereas where can use way more complicated conditions possibly using evaluation functions or dynamic comparison between field values.

But the where command operates on a stream of results coming from previous command.

So there will be a difference in performance. How big that difference will be depends on the actual conditions used.

EDIT: And I can't agree with @sainag_splunk on the performance being generally similar.

Reply
Solved! Jump to solution

Raj_Splunk_Ing
Explorer
‎10-09-2024 02:42 PM

Thank you PickleRick 
AND is working as an implicit AND operator which filters data ...but WHERE is used to filter on top of the results that are pulled BEFORE the WHERE command. If the data returned is huge we will see the diff of filtering out using these 2 options....
WHERE has lot more options when it comes to filtering out something.....

 

Thank you all

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-10-2024 12:58 PM

It's also worth explaining why the where command is usually way slower than adding another condition to the original search (or adding another search command in the pipeline).

Firstly, Splunk is relatively smart and when it sees

search condition1 | search condition2

it internally optimizes it out and treats it as

search condition1 AND condition2

But that's a minor point here.

The major point (and that's really very important in understanding why some things work faster with Splunk than others) is _how_ Splunk searches the indexes for data.

Your typilcal "other solution" (like RDBMS or some object database which indexes documents) splits the data into discrete fields on ingestion and holds each of those fields in a separate "compartment" (we can call it columns in database table, we can call it object properties, doesn't matter here). So when you have to look for key=value pair, the solution looks into the "drawer" called "key" and looks for "value".

Splunk (mostly; the exception being indexed fields) works the other ways around. It stores the "values" in form of tokens into which it splits the input data. And during searching if you search for key=value condition it searches for all events containing the "value" token and parses all of them to see if the value is in the proper place within the event to match the defined extraction for key. Of course the more values you're looking for (because you have separate conditions for many fields containing separate values like key1=value1 AND key2=value2 AND key3=value3 and so on), the lower is the count of events containing all those values at the same time and the fewer events Splunk has to actually parse to see if those field definitions match what you're searching for.

So if you're adding more conditions to your search by AND you're telling Splunk to consider fewer and fewer events in your search.

But where does not work like that. Where works only as a streaming command and has to process all the events that come from the preceeding command(s).

So for example, if you have in your index 100 thousands events of which 10000 contain "value1", 10000 contain "value2" (1000 of them overlap and contain both of those values), if you're searching for

index=myindex key1=value1 key2=value2

Splunk has to only parse 1000 events which contain both values at the same time to find if they contain it in places corresponding to key1 and key2 respectively.

But if you do

index=myindex key1=value1 | where key2="value2"

Splunk has to parse all 10000 events containing value1 to see if they match key1. From the resulting set of this search it needs to match all events where key2="value2".

Even worse if you just did

index=myindex | where key1="value1" AND key2="value2"

Splunk then would have to read all 100k events from your index and parse those two fields out of them to later compare their values with the given condition.

To show you what difference that can make an example from my home lab box.

index=winevents EventCode=4799 EventRecordID=461117

I ran this search over last 30 days.

This search has completed and has returned 1 results by scanning 1 events in 0.278 seconds

EventRecordID is a pretty unique identifier so Splunk already had only a single record to check.

If we move this condition to the where part

index=winevents EventCode=4799 
| where EventRecordID=461117

We get

This search has completed and has returned 1 results by scanning 9,768 events in 1.045 seconds

As you can see, Splunk had to do much more work because I had 9768 events which matched the value 4799 (and from the further job inspection which I'm not pasting here I see that all of them were in the EventCode field) and all those events had to be processed further by the where command.

It's still relatively fast, because 10k events is not that much but it's about 4 times slower (the difference on bigger sets would be more noticeable - here the big part of the time used is just spawning the search).

If we move both conditions to the where part:

index=winevents 
| where EventCode=4799 AND EventRecordID=461117

We still get the same 1 result which is not surprising but...

This search has completed and has returned 1 results by scanning 63,740 events in 6.017 seconds

I have exactly 63740 events in the winevents index and they all had to be parsed and processed further down the pipeline by the where command. And it's no wonder that since there's about 6 times more events to process than in previous variant it took about 6 times as much time.

So yes, where is a fairly sophisticated and flexible command letting you do many things that ordinary search command won't but the tighter you can "squeeze" your indexes with the initial search the better the overall performance.

0 Karma
Reply
Solved! Jump to solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-09-2024 02:30 PM

Hey @PickleRick , thanks for calling that out. You're absolutely right, and I totally dropped the ball on some of those details. My bad.

I was trying to keep things simple  but I guess I oversimplified a bit too much while typing. You nailed it with the AND being an operator, not a command. That's a rookie mistake on my part.

About the performance thing - yeah, I should've been clearer. For simple stuff, it might not make a huge difference, but you're spot on that it can matter a lot with complex searches or big data sets.

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Explorer
‎10-09-2024 12:21 PM

Hi sainag... Thank you so much for your guiance

0 Karma
Reply
Solved! Jump to solution
Solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-09-2024 09:58 AM

Hi @Raj_Splunk_Ing No need to apologize - we all start somewhere, and asking questions is how we learn! Let's break down your question about using AND ... IN (...) versus WHERE ... IN (...) in Splunk searches.

Both of your examples will work, but there are some slight differences:

 

AND ... IN (...):
index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

 

This is part of the main search string and is evaluated early in the search process.

 

  • Using WHERE:
     
    index=ADFS_AWS | WHERE clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
    The WHERE command is a separate search command that filters results after the initial search.

In terms of efficiency:

  • For most cases, they'll perform similarly.
  • The AND version might be slightly faster as it's applied earlier in the search process.
  • The WHERE version is more flexible if you need to do more complex filtering.

Remember, the best approach often depends on your specific data and use case. Don't hesitate to test both and see which works better for you!

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...